UPDATE August 6, 2011: The number of websites infected with this had risen to over 5 million. The prevention of this type of attack is really quite simple – and something we’ve been applying to clients websites for some time.

Currently 100,000+ osCommerce (and variations of osCommerce) pages have been infected with an iframe that points to: willysy(dot)com.

Our research finds these iframes in the title tags and at various img tag locations throughout the webpages which led us to look in the database.

We see the code in the title tags at the top of the page, inserted as the description of the store logo, following the “images/store_logo.png” or “images/logo.gif” and other similar logo links. and also in the copyright section in many web pages:

Our suggestion is to export the entire database, download it to your local computer and search for any strings with “iframe” (no quotes) in them. A few of these iframe strings have been obfuscated, so also look for the string: document.write.

Other domains used in this attack are:

exero.eu

yandekapi.com

It’s certain that more will follow.

Our research indicates that most of these websites are osCommerce or an osCommerce related website. In 89% of the websites we investigated, they have left the admin folder unchanged, which means they have not followed the recommendation of renaming the admin folder. Since this is a simple process, I would tend to believe that they have not followed other security recommendations and left their websites open to an attack.

Rename the admin folder to something that does not include the word ‘admin’

Depending on what version of osCommerce you’re running, you should modify the code in application_top.php (2 files) to eliminate the $PHP_SELF

You should disable define_language.php and file_manager.php

Use various methods to prevent the configuration.php/login.php in the URL

You may also find additional users in your administrators table. Hackers have been adding these as well. Many of them will have their own email address as well so that a request to reset a password will go to them.

Various .php backdoors and some Perl shell scripts might be added to your website as well. The hackers have been using a variety of these in order to maintain control of the website.

First, make a backup of your database. Then after all these database entries have been found and removed, you’ll have to change the password to your database as they obviously know what it is and then import your database.

All of this needs to be cleaned up.

If you need help in cleaning this up, please send an email to support@wewatchyourwebsite.com or call me directly at (847)833-5666

This particular URL would show the attacker the configure.php file. There is no patch, that we know of yet, that prevents this attack. The best advice we’ve seen is to rename the admin folder something obscure so the hackers can’t just scan your site with this URL and find the file_manager.php file.

Other exploits we’ve seen use the same basic URL but the action variable is set as follows:

admin/file_manager.php/login.php?action=save

Then a URL to a remote site that stores a backdoor shell script. This backdoor then gets saved to the website. All a hacker has to do is to access the URL:

hxxp://[site]/osCSS/[name of shell script backdoor].php

and they have remote access to the site.

Again, if the admin folder is renamed to something obscure, this attack won’t work. This type of protection is aptly named, “security by obscurity” because all you’re doing is hiding the folder from the attacker, but until an official patch is released, this seems to be the best advice.

If you’ve been attacked by this and have some further information, please post a comment or email me at: traef@wewatchyourwebsite.com

If you need help in cleaning this up and checking for all backdoors on your site, please contact me directly at: traef@wewatchyourwebsite.com